Saturday, September 3, 2011

Re: Security implications of using the form.fields dictionary directly

On Wednesday, 31 August 2011 11:26:36 UTC+2, vpetkov wrote:
Hi all,

  In relation to my previous post (unanswered,
http://groups.google.com/group/django-users/browse_thread/thread/aad6fc7e6ad71b4f)
I would like to ask about the security implications of doing the
following:

What I would like to have in the template is:
{{ form.tueren.A }}
{{ form.tueren.B }},
etc.

If I inherit from form.Field and create a tueren FormField with
attributes A,B, etc. I have a direct access to it via
form.fields['tueren'], so
I can write in the template:
{{ form.fields.tueren.A }}
{{ form.fields.tueren.B }}

However, this effectively circumvents the default mechanism of
instantiating a BoundField that restricts the use of the Field in
certain ways, so I was wondering what kind of security repercussions
this might have?

Best regards,
Venelin Petkov


I don't know why you think there would be security implications. Your templates are under your control, on your server, so assuming your server is reasonably secure there's nothing an attacker can do - actually, even if it isn't, there's nothing an attacker can do that wouldn't be easier in the views, which they would also have access to if they broke in.

The reason for the BoundField distinction is nothing to do with security, it's - as the name implies - that the field is bound to a value, which can then be displayed or validated. If you bypass that, you lose most of the functionality of fields and therefore most of the reason for using them in the first place.
--
DR. 
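As an added illustration of the Field / BoundField split the reply describes (this is example code, not Django's own and not from either poster): a stripped-down model in which `Field` only knows how to validate and `BoundField` is what ties a field to the form's submitted data and errors. The names `Field`, `BoundField`, `Form`, `form.fields` and `form[name]` mirror Django's, but the bodies here are minimal stand-ins; `TuerenField` and its attributes `A`/`B` are the questioner's hypothetical custom field. In real Django a bound field exposes the underlying field object as `.field`, so the template can reach a custom attribute with `{{ form.tueren.field.A }}` without bypassing the binding.

```python
# Added example: a minimal model of the Field / BoundField pattern.
# Not Django's code; names mirror Django's API, implementations are stand-ins.

class ValidationError(Exception):
    pass


class Field:
    """Describes how a value is validated; holds no user-submitted data."""
    def __init__(self, required=True):
        self.required = required

    def clean(self, value):
        if self.required and value in (None, ""):
            raise ValidationError("This field is required.")
        return value


class TuerenField(Field):
    """The questioner's custom field (hypothetical), with static attributes A and B."""
    A = "left-hand door"
    B = "right-hand door"


class BoundField:
    """A Field bound to one form's data: knows the submitted value and its errors."""
    def __init__(self, form, field, name):
        self.form = form
        self.field = field   # Django's BoundField also exposes the Field as .field
        self.name = name

    def value(self):
        return self.form.data.get(self.name)

    @property
    def errors(self):
        return self.form.errors.get(self.name, [])

    def as_widget(self):
        return '<input name="%s" value="%s">' % (self.name, self.value() or "")


class Form:
    def __init__(self, fields, data=None):
        self.fields = dict(fields)   # unbound Field instances, like Django's form.fields
        self.data = data or {}
        self.errors = {}

    def __getitem__(self, name):
        # form[name] (what {{ form.name }} does in a template) yields a BoundField
        return BoundField(self, self.fields[name], name)

    def is_valid(self):
        self.errors = {}
        for name, field in self.fields.items():
            try:
                field.clean(self.data.get(name))
            except ValidationError as exc:
                self.errors[name] = [str(exc)]
        return not self.errors


def compare_access(data):
    """Return what each template access path yields for the same field and data."""
    form = Form({"tueren": TuerenField()}, data=data)
    valid = form.is_valid()
    raw = form.fields["tueren"]    # {{ form.fields.tueren }}: static attrs only
    bound = form["tueren"]         # {{ form.tueren }}: value, errors, widget
    return {
        "valid": valid,
        "raw_A": raw.A,
        "raw_has_value": hasattr(raw, "value"),   # the raw Field has no value
        "bound_A_via_field": bound.field.A,       # {{ form.tueren.field.A }}
        "bound_value": bound.value(),
        "bound_errors": bound.errors,
        "widget": bound.as_widget(),
    }


if __name__ == "__main__":
    # Constructed sample data: an empty submission, then a filled one.
    print(compare_access({}))
    print(compare_access({"tueren": "A"}))
```

Reading `form.fields["tueren"].A` works because `A` is a class attribute of the field, but that object never sees the POSTed data or the validation result; everything tied to the request (value, errors, rendered widget) lives on the bound field, which is why going through `form.tueren` (and `form.tueren.field.A` for the custom attribute) keeps the full behaviour.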

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/tIXNubMfTpcJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
